Add option to disable state verification, fix redirect uri bug

[srajiang]

Summary

Fixes #1101
Fixes #1115

See both for more context.

It adds the option to disable state verification during OAuth flow via a stateVerification flag. By default this will be true. When state verification is disabled, stateSecret is no longer required, so this updates error messages associated with that previous hard requirement.

This PR also fixes an issue where the user supplied redirect_uri is not properly being passed as part of oauth/v2/authorize request params. It adds a separate top-level redirectUri parameter that contains the full url and includes some input validation.

Todo

• Add tests for redirectUri configuration error states
• Add test for stateVerification flow (needs new types pulled in)
• Prep documentation PR to follow here
• node-slack-sdk/pull/1329 should be released in node-slack-sdk.

Requirements (place an x in each [ ])

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.

[codecov]

Codecov Report

Merging #1116 (daf5cee) into main (2f3f499) will increase coverage by 0.79%.
The diff coverage is 86.04%.

@@            Coverage Diff             @@
##             main    #1116      +/-   ##
==========================================
+ Coverage   70.92%   71.71%   +0.79%     
==========================================
  Files          14       15       +1     
  Lines        1324     1354      +30     
  Branches      392      402      +10     
==========================================
+ Hits          939      971      +32     
- Misses        311      312       +1     
+ Partials       74       71       -3     

Impacted Files	Coverage Δ
src/receivers/ExpressReceiver.ts	60.39% <60.00%> (+1.93%)	⬆️
src/receivers/verify-redirect-opts.ts	83.33% <83.33%> (ø)
src/receivers/SocketModeReceiver.ts	89.02% <93.33%> (+4.09%)	⬆️
src/App.ts	83.64% <100.00%> (+0.04%)	⬆️
src/receivers/HTTPReceiver.ts	37.12% <100.00%> (+2.25%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2f3f499...daf5cee. Read the comment docs.

[srajiang]

Updated changes include:

• Moved docs changes to separate PR.
• Utility verification function that throws an error when custom redirect options are incomplete or invalid + tests for those scenarios at App and Receiver levels
• Tests to check that install options are being directly handed over to handleCallback when stateVerification is disabled.
• Did some reorganization of SocketModeReceiver and HTTPReceiver tests sections for readability.

Thanks in advance for your 👀 - I will squash and merge when the PR is ready!

[srajiang]

I have added additional describe sections and reorganized some of the tests here and also in SocketModeReceiver.spec.ts to make the test files more consistent with one another and to make navigating test files / reading test output a little more clear.

[srajiang]

Note: I attempted to incorporate state validation related tests for this, but ran into an issue with the requestHandler being a private function - wasn't sure how to really set up a fake request. I see that we don't really have the same test coverage for ExpressReceiver that we do for the other receivers and I'm wondering if that's a known limitation.

[seratch]

I left one comment. As long as your Slack app has only one Redirect URI in its settings, skipping to have redirect_uri parameter should be allowed. Also, if we add the validation about the existence of redirectUri as a requirement, it'll be a breaking change to many of the existing OAuth ebaled apps. They will need updates when upgrading bolt-js version.

[seratch]

Not setting redirectUri should be allowed. You can initiate the OAuth flow without redirect_uri parameter when your Slack app has only one redirect_uri setting.

I won't repeat the same comment for HTTPReceiver and SocketModeReceiver.

[srajiang]

Good catch. I have modified the check so now it makes sure that if redirectUri is supplied, redirectUriPath is required only.

[seratch]

I added a comment on the corresponding test code side but missing only redirectUri should be okay.

[seratch]

LGTM 👍

[seratch]

Hey, other reviewers! This one is the last pull request waiting for merging in the v3.7.0 release milestone: https://github.com/slackapi/bolt-js/milestone/11 If you have any comments on this PR, submit your reviews by next Monday your Tuesday!

@srajiang Can I ask you to work on the release early next week?

[filmaj]

LGTM! Left a couple minor comments.